ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1530597 - in /webservices/wss4j/trunk/ws-security-stax/src: main/java/org/apache/wss4j/stax/ main/java/org/apache/wss4j/stax/ext/ main/java/org/apache/wss4j/stax/impl/processor/output/ test/java/org/apache/wss4j/stax/test/
Date Wed, 09 Oct 2013 13:28:15 GMT
Author: coheigea
Date: Wed Oct  9 13:28:15 2013
New Revision: 1530597

URL: http://svn.apache.org/r1530597
Log:
First refactor of how security tokens are referenced + set up for the streaming layer

Removed:
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/KerberosSecurityTokenOutputProcessor.java
Modified:
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/DerivedKeyTokenTest.java

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ConfigurationConverter.java Wed Oct  9 13:28:15 2013
@@ -484,24 +484,48 @@ public final class ConfigurationConverte
         String sigC14nAlgo = getString(ConfigurationConstants.SIG_C14N_ALGO, config);
         properties.setSignatureCanonicalizationAlgorithm(sigC14nAlgo);
         
-        String sigParts = getString(ConfigurationConstants.SIGNATURE_PARTS, config);
+        Object sigParts = config.get(ConfigurationConstants.SIGNATURE_PARTS);
         if (sigParts != null) {
-            List<SecurePart> parts = new ArrayList<SecurePart>();
-            splitEncParts(sigParts, parts, WSSConstants.NS_SOAP11);
-            for (SecurePart part : parts) {
-                part.setDigestMethod(sigDigestAlgo);
-                properties.addSignaturePart(part);
+            if (sigParts instanceof String) {
+                List<SecurePart> parts = new ArrayList<SecurePart>();
+                splitEncParts((String)sigParts, parts, WSSConstants.NS_SOAP11);
+                for (SecurePart part : parts) {
+                    part.setDigestMethod(sigDigestAlgo);
+                    properties.addSignaturePart(part);
+                }
+            } else if (sigParts instanceof List<?>) {
+                List<?> sigPartsList = (List<?>)sigParts;
+                for (Object obj : sigPartsList) {
+                    if (obj instanceof SecurePart) {
+                        SecurePart securePart = (SecurePart)obj;
+                        System.out.println("ADDING SIG PART: " + securePart.getName());
+                        securePart.setDigestMethod(sigDigestAlgo);
+                        properties.addSignaturePart(securePart);
+                    }
+                }
             }
         }
         
-        sigParts = getString(ConfigurationConstants.OPTIONAL_SIGNATURE_PARTS, config);
+        sigParts = config.get(ConfigurationConstants.OPTIONAL_SIGNATURE_PARTS);
         if (sigParts != null) {
-            List<SecurePart> parts = new ArrayList<SecurePart>();
-            splitEncParts(sigParts, parts, WSSConstants.NS_SOAP11);
-            for (SecurePart part : parts) {
-                part.setRequired(false);
-                part.setDigestMethod(sigDigestAlgo);
-                properties.addSignaturePart(part);
+            if (sigParts instanceof String) {
+                List<SecurePart> parts = new ArrayList<SecurePart>();
+                splitEncParts((String)sigParts, parts, WSSConstants.NS_SOAP11);
+                for (SecurePart part : parts) {
+                    part.setRequired(false);
+                    part.setDigestMethod(sigDigestAlgo);
+                    properties.addSignaturePart(part);
+                }
+            } else if (sigParts instanceof List<?>) {
+                List<?> sigPartsList = (List<?>)sigParts;
+                for (Object obj : sigPartsList) {
+                    if (obj instanceof SecurePart) {
+                        SecurePart securePart = (SecurePart)obj;
+                        securePart.setDigestMethod(sigDigestAlgo);
+                        securePart.setRequired(false);
+                        properties.addSignaturePart(securePart);
+                    }
+                }
             }
         }
         
@@ -518,22 +542,43 @@ public final class ConfigurationConverte
             properties.setEncryptionKeyIdentifier(convEncKeyIdentifier);
         }
         
-        String encParts = getString(ConfigurationConstants.ENCRYPTION_PARTS, config);
+        Object encParts = config.get(ConfigurationConstants.ENCRYPTION_PARTS);
         if (encParts != null) {
-            List<SecurePart> parts = new ArrayList<SecurePart>();
-            splitEncParts(encParts, parts, WSSConstants.NS_SOAP11);
-            for (SecurePart part : parts) {
-                properties.addEncryptionPart(part);
+            if (encParts instanceof String) {
+                List<SecurePart> parts = new ArrayList<SecurePart>();
+                splitEncParts((String)encParts, parts, WSSConstants.NS_SOAP11);
+                for (SecurePart part : parts) {
+                    properties.addEncryptionPart(part);
+                }
+            } else if (encParts instanceof List<?>) {
+                List<?> encPartsList = (List<?>)encParts;
+                for (Object obj : encPartsList) {
+                    if (obj instanceof SecurePart) {
+                        SecurePart securePart = (SecurePart)obj;
+                        properties.addEncryptionPart(securePart);
+                    }
+                }
             }
         }
         
-        encParts = getString(ConfigurationConstants.OPTIONAL_ENCRYPTION_PARTS, config);
+        encParts = config.get(ConfigurationConstants.OPTIONAL_ENCRYPTION_PARTS);
         if (encParts != null) {
-            List<SecurePart> parts = new ArrayList<SecurePart>();
-            splitEncParts(encParts, parts, WSSConstants.NS_SOAP11);
-            for (SecurePart part : parts) {
-                part.setRequired(false);
-                properties.addEncryptionPart(part);
+            if (encParts instanceof String) {
+                List<SecurePart> parts = new ArrayList<SecurePart>();
+                splitEncParts((String)encParts, parts, WSSConstants.NS_SOAP11);
+                for (SecurePart part : parts) {
+                    part.setRequired(false);
+                    properties.addEncryptionPart(part);
+                }
+            } else if (encParts instanceof List<?>) {
+                List<?> encPartsList = (List<?>)encParts;
+                for (Object obj : encPartsList) {
+                    if (obj instanceof SecurePart) {
+                        SecurePart securePart = (SecurePart)obj;
+                        securePart.setRequired(false);
+                        properties.addEncryptionPart(securePart);
+                    }
+                }
             }
         }
         

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java Wed Oct  9 13:28:15 2013
@@ -18,22 +18,41 @@
  */
 package org.apache.wss4j.stax.ext;
 
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.stax.impl.processor.output.*;
+import org.apache.wss4j.stax.impl.securityToken.KerberosClientSecurityToken;
+import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
 import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
 import org.apache.xml.security.stax.ext.OutboundSecurityContext;
 import org.apache.xml.security.stax.ext.OutputProcessor;
+import org.apache.xml.security.stax.ext.SecurityContext;
 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
 import org.apache.xml.security.stax.impl.DocumentContextImpl;
 import org.apache.xml.security.stax.impl.OutboundSecurityContextImpl;
 import org.apache.xml.security.stax.impl.OutputProcessorChainImpl;
 import org.apache.xml.security.stax.impl.XMLSecurityStreamWriter;
 import org.apache.xml.security.stax.impl.processor.output.FinalOutputProcessor;
+import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
+import org.apache.xml.security.stax.impl.util.IDGenerator;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventListener;
+import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
+import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
+import org.apache.xml.security.stax.securityToken.SecurityToken;
+import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.spec.SecretKeySpec;
 import javax.xml.stream.XMLStreamWriter;
+
 import java.io.OutputStream;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
 import java.util.List;
 
 /**
@@ -137,6 +156,30 @@ public class OutboundWSSec {
             initializeOutputProcessor(outputProcessorChain, securityHeaderOutputProcessor, null);
             //todo some combinations are not possible atm: eg Action.SIGNATURE and Action.USERNAMETOKEN_SIGNED
             //todo they use the same signature parts
+            boolean signatureAction = false;
+            boolean encryptionAction = false;
+            boolean signedSAML = false;
+            boolean kerberos = false;
+            boolean signatureKerberos = false;
+            boolean encryptionKerberos = false;
+            boolean derivedSignature = false;
+            boolean derivedEncryption = false;
+            
+            // Check to see whether we have a derived key signature, but not encryption, using
+            // an encrypted key reference (as we only want one encrypted key here...)
+            boolean derivedSignatureButNotDerivedEncryption = false;
+            if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
+                for (int i = 0; i < securityProperties.getOutAction().length; i++) {
+                    XMLSecurityConstants.Action action = securityProperties.getOutAction()[i];
+                    if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
+                        derivedSignatureButNotDerivedEncryption = true;
+                    } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
+                        derivedSignatureButNotDerivedEncryption = false;
+                        break;
+                    }
+                }
+            }
+            
             for (int i = 0; i < securityProperties.getOutAction().length; i++) {
                 XMLSecurityConstants.Action action = securityProperties.getOutAction()[i];
                 if (WSSConstants.TIMESTAMP.equals(action)) {
@@ -144,14 +187,16 @@ public class OutboundWSSec {
                     initializeOutputProcessor(outputProcessorChain, timestampOutputProcessor, action);
 
                 } else if (WSSConstants.SIGNATURE.equals(action)) {
+                    signatureAction = true;
                     final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
-                            new BinarySecurityTokenOutputProcessor();
+                        new BinarySecurityTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
 
                     final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
 
                 } else if (WSSConstants.ENCRYPT.equals(action)) {
+                    encryptionAction = true;
                     if (securityProperties.isEncryptSymmetricEncrytionKey()) {
                         final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
                             new BinarySecurityTokenOutputProcessor();
@@ -181,20 +226,24 @@ public class OutboundWSSec {
                     initializeOutputProcessor(outputProcessorChain, signatureConfirmationOutputProcessor, action);
 
                 } else if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
-                    final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
-                            new BinarySecurityTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
-
                     if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
-                        final EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
-                        initializeOutputProcessor(outputProcessorChain, encryptedKeyOutputProcessor, action);
-
+                        if (derivedSignatureButNotDerivedEncryption) {
+                            final EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
+                            initializeOutputProcessor(outputProcessorChain, encryptedKeyOutputProcessor, action);
+                        }
+                        encryptionAction = true;
+                        derivedEncryption = true;
                     } else if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.SecurityContextToken) {
                         final SecurityContextTokenOutputProcessor securityContextTokenOutputProcessor =
                                 new SecurityContextTokenOutputProcessor();
                         initializeOutputProcessor(outputProcessorChain, securityContextTokenOutputProcessor, action);
-
+                        signatureAction = true;
+                        derivedSignature = true;
+                    } else {
+                        signatureAction = true;
+                        derivedSignature = true;
                     }
+                    
                     final DerivedKeyTokenOutputProcessor derivedKeyTokenOutputProcessor = new DerivedKeyTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, derivedKeyTokenOutputProcessor, action);
 
@@ -202,9 +251,8 @@ public class OutboundWSSec {
                     initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
 
                 } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
-                    final BinarySecurityTokenOutputProcessor binarySecurityTokenOutputProcessor =
-                            new BinarySecurityTokenOutputProcessor();
-                    initializeOutputProcessor(outputProcessorChain, binarySecurityTokenOutputProcessor, action);
+                    encryptionAction = true;
+                    derivedEncryption = true;
 
                     if (securityProperties.getDerivedKeyTokenReference() == WSSConstants.DerivedKeyTokenReference.EncryptedKey) {
                         final EncryptedKeyOutputProcessor encryptedKeyOutputProcessor = new EncryptedKeyOutputProcessor();
@@ -223,6 +271,8 @@ public class OutboundWSSec {
                     initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
 
                 } else if (WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
+                    signatureAction = true;
+                    signedSAML = true;
                     final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
 
@@ -233,26 +283,53 @@ public class OutboundWSSec {
                     final SAMLTokenOutputProcessor samlTokenOutputProcessor = new SAMLTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, samlTokenOutputProcessor, action);
                 } else if (WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(action)) {
-                    final KerberosSecurityTokenOutputProcessor kerberosTokenOutputProcessor =
-                            new KerberosSecurityTokenOutputProcessor();
+                    kerberos = true;
+                    signatureKerberos = true;
+                    final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+                            new BinarySecurityTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
 
                     final WSSSignatureOutputProcessor signatureOutputProcessor = new WSSSignatureOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, signatureOutputProcessor, action);
                 } else if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(action)) {
-                    final KerberosSecurityTokenOutputProcessor kerberosTokenOutputProcessor =
-                            new KerberosSecurityTokenOutputProcessor();
+                    kerberos = true;
+                    encryptionKerberos = true;
+                    final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+                            new BinarySecurityTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
 
                     final EncryptOutputProcessor encryptOutputProcessor = new EncryptOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, encryptOutputProcessor, action);
                 } else if (WSSConstants.KERBEROS_TOKEN.equals(action)) {
-                    final KerberosSecurityTokenOutputProcessor kerberosTokenOutputProcessor =
-                        new KerberosSecurityTokenOutputProcessor();
+                    kerberos = true;
+                    final BinarySecurityTokenOutputProcessor kerberosTokenOutputProcessor =
+                        new BinarySecurityTokenOutputProcessor();
                     initializeOutputProcessor(outputProcessorChain, kerberosTokenOutputProcessor, action);
                 }
             }
             
+            // Set up appropriate keys
+            if (signatureAction) {
+                setupSignatureKey(outputProcessorChain, securityProperties, signedSAML);
+            }
+            if (encryptionAction) {
+                setupEncryptionKey(outputProcessorChain, securityProperties);
+            }
+            if (kerberos) {
+                setupKerberosKey(outputProcessorChain, securityProperties, 
+                                 signatureKerberos, encryptionKerberos);
+            }
+            if (derivedSignature) {
+                String id = 
+                    outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
+                setDerivedIdentifier(outputProcessorChain, id);
+            }
+            if (derivedEncryption) {
+                String id = 
+                    outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY);
+                setDerivedIdentifier(outputProcessorChain, id);
+            }
+            
             final SecurityHeaderReorderProcessor securityHeaderReorderProcessor = new SecurityHeaderReorderProcessor();
             initializeOutputProcessor(outputProcessorChain, securityHeaderReorderProcessor, null);
             
@@ -280,4 +357,300 @@ public class OutboundWSSec {
         outputProcessor.setAction(action);
         outputProcessor.init(outputProcessorChain);
     }
+    
+    private void setupSignatureKey(
+        OutputProcessorChainImpl outputProcessorChain,
+        WSSSecurityProperties securityProperties,
+        boolean signedSAML
+    ) throws XMLSecurityException {
+        final String signatureAlgorithm = securityProperties.getSignatureAlgorithm();
+        
+        GenericOutboundSecurityToken securityToken = 
+            getOutboundSecurityToken(outputProcessorChain, WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
+        // First off, see if we have a supplied token with the correct keys for 
+        // (a)symmetric signature
+        if (securityToken != null && signatureAlgorithm != null) {
+            if (signatureAlgorithm.contains("hmac-sha")
+                && securityToken.getSecretKey(signatureAlgorithm) != null) {
+                return;
+            } else if (!signatureAlgorithm.contains("hmac-sha")
+                && (securityToken.getPublicKey() != null
+                    || securityToken.getX509Certificates() != null)) {
+                return;
+            }
+        }
+        
+        // We have no supplied key. So use the PasswordCallback to get a secret key or password
+        String alias = securityProperties.getSignatureUser();
+        WSPasswordCallback pwCb = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
+            WSSUtils.doPasswordCallback(securityProperties.getCallbackHandler(), pwCb);
+      
+        String password = pwCb.getPassword();
+        byte[] secretKey = pwCb.getKey();
+        Key key = null;
+        X509Certificate[] x509Certificates = null;
+        try {
+            if (password != null && securityProperties.getSignatureCrypto() != null) {
+                key = securityProperties.getSignatureCrypto().getPrivateKey(alias, password);
+                CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+                cryptoType.setAlias(alias);
+                x509Certificates = securityProperties.getSignatureCrypto().getX509Certificates(cryptoType);
+                if (x509Certificates == null || x509Certificates.length == 0) {
+                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noUserCertsFound", alias);
+                }
+            } else if (secretKey != null) {
+                x509Certificates = null;
+                String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(signatureAlgorithm);
+                key = new SecretKeySpec(secretKey, algoFamily);
+            } else {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noPassword", alias);
+            }
+        } catch (WSSecurityException ex) {
+            if (signedSAML && securityProperties.getSamlCallbackHandler() != null) {
+                // We may get the keys we require from the SAML CallbackHandler...
+                return;
+            }
+            throw ex;
+        }
+
+        // Create a new outbound Signature token for the generated key / cert
+        final String id = IDGenerator.generateID(null);
+        final GenericOutboundSecurityToken binarySecurityToken =
+                new GenericOutboundSecurityToken(id, WSSecurityTokenConstants.X509V3Token, key, x509Certificates);
+          
+        // binarySecurityToken.setSha1Identifier(reference);
+        final SecurityTokenProvider<OutboundSecurityToken> binarySecurityTokenProvider =
+                new SecurityTokenProvider<OutboundSecurityToken>() {
+
+            @Override
+            public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
+                return binarySecurityToken;
+            }
+
+            @Override
+            public String getId() {
+                return id;
+            }
+        };
+        
+        outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(id, binarySecurityTokenProvider);
+        outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, id);
+    }
+    
+    private void setupEncryptionKey(
+        OutputProcessorChainImpl outputProcessorChain,
+        WSSSecurityProperties securityProperties
+    ) throws XMLSecurityException {
+        final String symmetricEncryptionAlgorithm = securityProperties.getEncryptionSymAlgorithm();
+        
+        // First check to see if a Symmetric key is available
+        GenericOutboundSecurityToken securityToken = 
+            getOutboundSecurityToken(outputProcessorChain, WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
+        if (securityToken == null || securityToken.getSecretKey(symmetricEncryptionAlgorithm) == null) {
+            //prepare the symmetric session key for all encryption parts
+            String keyAlgorithm = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(securityProperties.getEncryptionSymAlgorithm());
+            KeyGenerator keyGen;
+            try {
+                keyGen = KeyGenerator.getInstance(keyAlgorithm);
+            } catch (NoSuchAlgorithmException e) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+            }
+            //the sun JCE provider expects the real key size for 3DES (112 or 168 bit)
+            //whereas bouncy castle expects the block size of 128 or 192 bits
+            if (keyAlgorithm.contains("AES")) {
+                int keyLength = JCEAlgorithmMapper.getKeyLengthFromURI(securityProperties.getEncryptionSymAlgorithm());
+                keyGen.init(keyLength);
+            }
+
+            final Key symmetricKey = keyGen.generateKey();
+            final String symmId = IDGenerator.generateID(null);
+
+            final GenericOutboundSecurityToken symmetricSecurityToken = 
+                new GenericOutboundSecurityToken(symmId, WSSecurityTokenConstants.EncryptedKeyToken, symmetricKey);
+            securityToken = symmetricSecurityToken;
+            final SecurityTokenProvider<OutboundSecurityToken> securityTokenProvider =
+                new SecurityTokenProvider<OutboundSecurityToken>() {
+
+                @Override
+                public OutboundSecurityToken getSecurityToken() throws XMLSecurityException {
+                    return symmetricSecurityToken;
+                }
+
+                @Override
+                public String getId() {
+                    return symmId;
+                }
+            };
+
+            outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(symmId, securityTokenProvider);
+            outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, symmId);
+        }
+        
+        if (!securityProperties.isEncryptSymmetricEncrytionKey()) {
+            // No EncryptedKey Token required here, so return
+            return;
+        }
+
+        // Set up a security token with the certs required to encrypt the symmetric key
+        X509Certificate[] x509Certificates = null;
+        X509Certificate x509Certificate = getReqSigCert(outputProcessorChain.getSecurityContext());
+        if (securityProperties.isUseReqSigCertForEncryption()) {
+            if (x509Certificate == null) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noCert");
+            }
+            x509Certificates = new X509Certificate[1];
+            x509Certificates[0] = x509Certificate;
+        } else if (securityProperties.getEncryptionUseThisCertificate() != null) {
+            x509Certificate = securityProperties.getEncryptionUseThisCertificate();
+            x509Certificates = new X509Certificate[1];
+            x509Certificates[0] = x509Certificate;
+        } else {
+            CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+            cryptoType.setAlias(securityProperties.getEncryptionUser());
+            Crypto crypto = securityProperties.getEncryptionCrypto();
+            x509Certificates = crypto.getX509Certificates(cryptoType);
+            if (x509Certificates == null || x509Certificates.length == 0) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noUserCertsFound",
+                                              securityProperties.getEncryptionUser());
+            }
+        }
+        
+        // Check for Revocation
+        if (securityProperties.isEnableRevocation()) {
+            Crypto crypto = securityProperties.getEncryptionCrypto();
+            crypto.verifyTrust(x509Certificates, true);
+        }
+
+        // Create a new outbound EncryptedKey token for the cert
+        final String id = IDGenerator.generateID(null);
+        final GenericOutboundSecurityToken encryptedKeyToken =
+            new GenericOutboundSecurityToken(id, WSSecurityTokenConstants.X509V3Token, null, x509Certificates);
+   
+        encryptedKeyToken.addWrappedToken(securityToken);
+        securityToken.setKeyWrappingToken(encryptedKeyToken);
+        
+        // binarySecurityToken.setSha1Identifier(reference);
+        final SecurityTokenProvider<OutboundSecurityToken> encryptedKeyTokenProvider =
+            new SecurityTokenProvider<OutboundSecurityToken>() {
+
+            @Override
+            public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
+                return encryptedKeyToken;
+            }
+
+            @Override
+            public String getId() {
+                return id;
+            }
+        };
+
+        outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(id, encryptedKeyTokenProvider);
+        outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, id);
+    }
+    
+    private void setupKerberosKey(
+        OutputProcessorChainImpl outputProcessorChain,
+        WSSSecurityProperties securityProperties,
+        boolean signature,
+        boolean encryption
+    ) throws XMLSecurityException {
+        GenericOutboundSecurityToken securityToken = 
+            getOutboundSecurityToken(outputProcessorChain, WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS);
+        String kerberosId = null;
+        // First off, see if we have a supplied token
+        if (securityToken == null) {
+            // If not then generate a new key
+            final String id = IDGenerator.generateID(null);
+            kerberosId = id;
+            final KerberosClientSecurityToken kerberosClientSecurityToken =
+                    new KerberosClientSecurityToken(
+                        securityProperties.getCallbackHandler(), id
+                    );
+    
+            final SecurityTokenProvider<OutboundSecurityToken> kerberosSecurityTokenProvider =
+                    new SecurityTokenProvider<OutboundSecurityToken>() {
+    
+                @Override
+                public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
+                    return kerberosClientSecurityToken;
+                }
+    
+                @Override
+                public String getId() {
+                    return id;
+                }
+            };
+            
+            outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(id, kerberosSecurityTokenProvider);
+            outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS, id);
+        } else {
+            kerberosId = securityToken.getId();
+        }
+        
+        if (signature) {
+            outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, kerberosId);
+        }
+        if (encryption) {
+            outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, kerberosId);
+        }
+        
+    }
+    
+    // Return an outbound SecurityToken object for a given id (encryption/signature)
+    private GenericOutboundSecurityToken getOutboundSecurityToken(
+        OutputProcessorChainImpl outputProcessorChain, String id
+    ) throws XMLSecurityException {
+        String tokenId = 
+            outputProcessorChain.getSecurityContext().get(id);
+        SecurityTokenProvider<OutboundSecurityToken> signatureTokenProvider = null;
+        if (tokenId != null) {
+            signatureTokenProvider = 
+                outputProcessorChain.getSecurityContext().getSecurityTokenProvider(tokenId);
+            if (signatureTokenProvider != null) {
+                return (GenericOutboundSecurityToken)signatureTokenProvider.getSecurityToken();
+            }
+        }
+        
+        return null;
+    }
+    
+    private X509Certificate getReqSigCert(SecurityContext securityContext) throws XMLSecurityException {
+        List<SecurityEvent> securityEventList = securityContext.getAsList(SecurityEvent.class);
+        if (securityEventList != null) {
+            for (int i = 0; i < securityEventList.size(); i++) {
+                SecurityEvent securityEvent = securityEventList.get(i);
+                if (securityEvent instanceof TokenSecurityEvent) {
+                    @SuppressWarnings("unchecked")
+                    TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent 
+                        = (TokenSecurityEvent<? extends SecurityToken>) securityEvent;
+                    if (!tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_MainSignature)) {
+                        continue;
+                    }
+                    X509Certificate[] x509Certificates = tokenSecurityEvent.getSecurityToken().getX509Certificates();
+                    if (x509Certificates != null && x509Certificates.length > 0) {
+                        return x509Certificates[0];
+                    }
+                }
+            }
+        }
+        return null;
+    }
+    
+    private void setDerivedIdentifier(OutputProcessorChainImpl outputProcessorChain, String id) {
+        WSSConstants.DerivedKeyTokenReference derivedKeyTokenReference = securityProperties.getDerivedKeyTokenReference();
+        switch (derivedKeyTokenReference) {
+
+            case DirectReference:
+                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, id);
+                break;
+            case EncryptedKey:
+                String symmId = outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
+                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, symmId);
+                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, id);
+                break;
+            case SecurityContextToken:
+                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN, id);
+                break;
+        }
+    }
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSConstants.java Wed Oct  9 13:28:15 2013
@@ -266,7 +266,7 @@ public class WSSConstants extends XMLSec
 
     public static final String NS_WSS_ENC_KEY_VALUE_TYPE = NS11_SOAPMESSAGE_SECURITY + "#EncryptedKey";
 
-    public static final String PROP_USE_THIS_TOKEN_ID_FOR_BST = "PROP_USE_THIS_TOKEN_ID_FOR_BST";
+    public static final String PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS = "PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS";
     public static final String PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY = "PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY";
     public static final String PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN = "PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN";
 

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/BinarySecurityTokenOutputProcessor.java Wed Oct  9 13:28:15 2013
@@ -18,244 +18,106 @@
  */
 package org.apache.wss4j.stax.impl.processor.output;
 
-import org.apache.wss4j.common.crypto.Crypto;
-import org.apache.wss4j.common.crypto.CryptoType;
-import org.apache.wss4j.common.ext.WSPasswordCallback;
-import org.apache.wss4j.common.ext.WSSecurityException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
+
+import org.apache.commons.codec.binary.Base64;
 import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
 import org.apache.wss4j.stax.ext.WSSUtils;
+import org.apache.wss4j.stax.impl.securityToken.KerberosClientSecurityToken;
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
 import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
-import org.apache.xml.security.stax.ext.*;
+import org.apache.xml.security.stax.ext.AbstractOutputProcessor;
+import org.apache.xml.security.stax.ext.OutputProcessorChain;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
 import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
-import org.apache.xml.security.stax.impl.util.IDGenerator;
-import org.apache.xml.security.stax.securityEvent.SecurityEvent;
-import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
 import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
-import org.apache.xml.security.stax.securityToken.SecurityToken;
-import org.apache.xml.security.stax.securityToken.SecurityTokenConstants.TokenType;
 import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
 
-import javax.crypto.spec.SecretKeySpec;
-import javax.xml.stream.XMLStreamException;
-
-import java.security.Key;
-import java.security.cert.X509Certificate;
-import java.util.List;
-
 public class BinarySecurityTokenOutputProcessor extends AbstractOutputProcessor {
 
     public BinarySecurityTokenOutputProcessor() throws XMLSecurityException {
         super();
+        addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
     }
 
     @Override
     public void processEvent(XMLSecEvent xmlSecEvent, OutputProcessorChain outputProcessorChain) throws XMLStreamException, XMLSecurityException {
         try {
-            final String bstId;
-            final X509Certificate[] x509Certificates;
             GenericOutboundSecurityToken securityToken = null;
-            Key key = null;
-            String reference = null;
-            TokenType tokenType = WSSecurityTokenConstants.X509V3Token;
 
             XMLSecurityConstants.Action action = getAction();
+            String tokenId = null;
             if (WSSConstants.SIGNATURE.equals(action)
-                    || WSSConstants.SAML_TOKEN_SIGNED.equals(action)
-                    || WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
-                // See if a Symmetric Key is already available
-                String tokenId = 
-                    outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
-                SecurityTokenProvider<OutboundSecurityToken> signatureTokenProvider = null;
-                if (tokenId != null) {
-                    signatureTokenProvider = 
-                        outputProcessorChain.getSecurityContext().getSecurityTokenProvider(tokenId);
-                    if (signatureTokenProvider != null) {
-                        securityToken = 
-                            (GenericOutboundSecurityToken)signatureTokenProvider.getSecurityToken();
-                        if (securityToken != null) {
-                            key = securityToken.getSecretKey(getSecurityProperties().getSignatureAlgorithm());
-                            reference = securityToken.getSha1Identifier();
-                            tokenType = securityToken.getTokenType();
-                        }
-                    }
-                }
-                
-                if (key == null) {
-                    bstId = IDGenerator.generateID(null);
-                    String alias = ((WSSSecurityProperties) getSecurityProperties()).getSignatureUser();
-                    WSPasswordCallback pwCb = new WSPasswordCallback(alias, WSPasswordCallback.Usage.SIGNATURE);
-                    WSSUtils.doPasswordCallback(((WSSSecurityProperties)getSecurityProperties()).getCallbackHandler(), pwCb);
-                    String password = pwCb.getPassword();
-                    byte[] secretKey = pwCb.getKey();
-                    if (password == null && secretKey == null) {
-                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noPassword", alias);
-                    }
-                    if (password != null) {
-                        key = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getPrivateKey(alias, password);
-                        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
-                        cryptoType.setAlias(alias);
-                        x509Certificates = ((WSSSecurityProperties) getSecurityProperties()).getSignatureCrypto().getX509Certificates(cryptoType);
-                        if (x509Certificates == null || x509Certificates.length == 0) {
-                            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_SIGNATURE, "noUserCertsFound", alias);
-                        }
-                    } else {
-                        x509Certificates = null;
-                        String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(getSecurityProperties().getSignatureAlgorithm());
-                        key = new SecretKeySpec(secretKey, algoFamily);
-                    }
-                    tokenType = null;
-                } else {
-                    bstId = tokenId;
-                    x509Certificates = null;
-                }
-            } else if (WSSConstants.ENCRYPT.equals(action) ||
-                    WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
-                X509Certificate x509Certificate = getReqSigCert(outputProcessorChain.getSecurityContext());
-                if (((WSSSecurityProperties) getSecurityProperties()).isUseReqSigCertForEncryption()) {
-                    if (x509Certificate == null) {
-                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noCert");
-                    }
-                    x509Certificates = new X509Certificate[1];
-                    x509Certificates[0] = x509Certificate;
-                } else if (getSecurityProperties().getEncryptionUseThisCertificate() != null) {
-                    x509Certificate = getSecurityProperties().getEncryptionUseThisCertificate();
-                    x509Certificates = new X509Certificate[1];
-                    x509Certificates[0] = x509Certificate;
-                } else {
-                    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
-                    WSSSecurityProperties securityProperties = ((WSSSecurityProperties) getSecurityProperties());
-                    cryptoType.setAlias(securityProperties.getEncryptionUser());
-                    Crypto crypto = securityProperties.getEncryptionCrypto();
-                    x509Certificates = crypto.getX509Certificates(cryptoType);
-                    if (x509Certificates == null || x509Certificates.length == 0) {
-                        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, "noUserCertsFound",
-                                ((WSSSecurityProperties) getSecurityProperties()).getEncryptionUser());
-                    }
-                }
-                
-                // Check for Revocation
-                WSSSecurityProperties securityProperties = ((WSSSecurityProperties) getSecurityProperties());
-                if (securityProperties.isEnableRevocation()) {
-                    Crypto crypto = securityProperties.getEncryptionCrypto();
-                    crypto.verifyTrust(x509Certificates, true);
-                }
-
-                key = null;
-                bstId = IDGenerator.generateID(null);
-            } else {
-                bstId = IDGenerator.generateID(null);
-                x509Certificates = null;
-                key = null;
+                    || WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
+                tokenId = outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE);
+            } else if (WSSConstants.ENCRYPT.equals(action)) {
+                tokenId = outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY);
+            } else if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())
+                || WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(getAction())
+                || WSSConstants.KERBEROS_TOKEN.equals(getAction())) {
+                tokenId = outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_KERBEROS);
             }
-
-            final String signatureAlgorithm = getSecurityProperties().getSignatureAlgorithm();
-            final GenericOutboundSecurityToken secToken = securityToken;
-            final GenericOutboundSecurityToken binarySecurityToken =
-                    new GenericOutboundSecurityToken(bstId, tokenType, key, x509Certificates) {
-              
-                @Override
-                public Key getSecretKey(String algorithmURI) throws XMLSecurityException {
-                    if (secToken == null || signatureAlgorithm.equals(algorithmURI)) {
-                        return super.getSecretKey(algorithmURI);
-                    }
-                
-                    return secToken.getSecretKey(algorithmURI);
-                }
-            };
-            binarySecurityToken.setSha1Identifier(reference);
-            final SecurityTokenProvider<OutboundSecurityToken> binarySecurityTokenProvider =
-                    new SecurityTokenProvider<OutboundSecurityToken>() {
-
-                @Override
-                public OutboundSecurityToken getSecurityToken() throws WSSecurityException {
-                    return binarySecurityToken;
+            
+            SecurityTokenProvider<OutboundSecurityToken> tokenProvider = null;
+            if (tokenId != null) {
+                tokenProvider = 
+                    outputProcessorChain.getSecurityContext().getSecurityTokenProvider(tokenId);
+                if (tokenProvider != null) {
+                    securityToken = (GenericOutboundSecurityToken)tokenProvider.getSecurityToken();
                 }
+            }
 
-                @Override
-                public String getId() {
-                    return bstId;
-                }
-            };
-
-            if (WSSConstants.SIGNATURE.equals(action)
-                    || WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
-                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, bstId);
-                boolean includeSignatureToken = 
-                    ((WSSSecurityProperties) getSecurityProperties()).isIncludeSignatureToken();
-                if ((includeSignatureToken 
-                    || WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(getSecurityProperties().getSignatureKeyIdentifier()))
-                    && !WSSecurityTokenConstants.KerberosToken.equals(tokenType)
-                    && !WSSecurityTokenConstants.Saml11Token.equals(tokenType)
-                    && !WSSecurityTokenConstants.Saml20Token.equals(tokenType)) {
-                    FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(binarySecurityToken);
+            if (securityToken != null) {
+                if (WSSConstants.SIGNATURE.equals(action) || WSSConstants.SAML_TOKEN_SIGNED.equals(action)) {
+                    boolean includeSignatureToken = 
+                        ((WSSSecurityProperties) getSecurityProperties()).isIncludeSignatureToken();
+                    if ((includeSignatureToken 
+                        || WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(getSecurityProperties().getSignatureKeyIdentifier()))
+                        && (securityToken.getTokenType() == null 
+                        || WSSecurityTokenConstants.X509V3Token.equals(securityToken.getTokenType()))) {
+                        FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(securityToken);
+                        finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
+                        finalBinarySecurityTokenOutputProcessor.setAction(getAction());
+                        finalBinarySecurityTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
+                        finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
+                        securityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
+                    }
+                } else if (WSSConstants.ENCRYPT.equals(action)
+                    && (securityToken.getTokenType() == null 
+                    || WSSecurityTokenConstants.X509V3Token.equals(securityToken.getTokenType()))) {
+                    if (WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(((WSSSecurityProperties) getSecurityProperties()).getEncryptionKeyIdentifier())) {
+                        FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(securityToken);
+                        finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
+                        finalBinarySecurityTokenOutputProcessor.setAction(getAction());
+                        finalBinarySecurityTokenOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
+                        finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
+                        securityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
+                    }
+                } else if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())
+                    || WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(getAction())
+                    || WSSConstants.KERBEROS_TOKEN.equals(getAction())) {
+                    FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(securityToken);
                     finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
                     finalBinarySecurityTokenOutputProcessor.setAction(getAction());
                     finalBinarySecurityTokenOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
-                    finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
-                    binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
-                }
-            } else if (WSSConstants.ENCRYPT.equals(action)) {
-                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
-                if (WSSecurityTokenConstants.KeyIdentifier_SecurityTokenDirectReference.equals(((WSSSecurityProperties) getSecurityProperties()).getEncryptionKeyIdentifier())) {
-                    FinalBinarySecurityTokenOutputProcessor finalBinarySecurityTokenOutputProcessor = new FinalBinarySecurityTokenOutputProcessor(binarySecurityToken);
-                    finalBinarySecurityTokenOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
-                    finalBinarySecurityTokenOutputProcessor.setAction(getAction());
                     finalBinarySecurityTokenOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
                     finalBinarySecurityTokenOutputProcessor.init(outputProcessorChain);
-                    binarySecurityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
-                }
-            } else if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)
-                    || WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
-
-                WSSConstants.DerivedKeyTokenReference derivedKeyTokenReference = ((WSSSecurityProperties) getSecurityProperties()).getDerivedKeyTokenReference();
-                switch (derivedKeyTokenReference) {
-
-                    case DirectReference:
-                        outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, bstId);
-                        break;
-                    case EncryptedKey:
-                        outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTED_KEY, bstId);
-                        break;
-                    case SecurityContextToken:
-                        outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SECURITYCONTEXTTOKEN, bstId);
-                        break;
+                    securityToken.setProcessor(finalBinarySecurityTokenOutputProcessor);
                 }
             }
-
-            outputProcessorChain.getSecurityContext().registerSecurityTokenProvider(bstId, binarySecurityTokenProvider);
-
         } finally {
             outputProcessorChain.removeProcessor(this);
         }
         outputProcessorChain.processEvent(xmlSecEvent);
     }
 
-    private X509Certificate getReqSigCert(SecurityContext securityContext) throws XMLSecurityException {
-        List<SecurityEvent> securityEventList = securityContext.getAsList(SecurityEvent.class);
-        if (securityEventList != null) {
-            for (int i = 0; i < securityEventList.size(); i++) {
-                SecurityEvent securityEvent = securityEventList.get(i);
-                if (securityEvent instanceof TokenSecurityEvent) {
-                    @SuppressWarnings("unchecked")
-                    TokenSecurityEvent<? extends SecurityToken> tokenSecurityEvent 
-                        = (TokenSecurityEvent<? extends SecurityToken>) securityEvent;
-                    if (!tokenSecurityEvent.getSecurityToken().getTokenUsages().contains(WSSecurityTokenConstants.TokenUsage_MainSignature)) {
-                        continue;
-                    }
-                    X509Certificate[] x509Certificates = tokenSecurityEvent.getSecurityToken().getX509Certificates();
-                    if (x509Certificates != null && x509Certificates.length > 0) {
-                        return x509Certificates[0];
-                    }
-                }
-            }
-        }
-        return null;
-    }
-
     class FinalBinarySecurityTokenOutputProcessor extends AbstractOutputProcessor {
 
         private final OutboundSecurityToken securityToken;
@@ -274,15 +136,35 @@ public class BinarySecurityTokenOutputPr
 
             if (WSSUtils.isSecurityHeaderElement(xmlSecEvent, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
 
+                final QName headerElementName = WSSConstants.TAG_wsse_BinarySecurityToken;
                 WSSUtils.updateSecurityHeaderOrder(
-                        outputProcessorChain, WSSConstants.TAG_wsse_BinarySecurityToken, getAction(), false);
+                        outputProcessorChain, headerElementName, getAction(), false);
 
                 OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
 
-                boolean useSingleCertificate = getSecurityProperties().isUseSingleCert();
-                WSSUtils.createBinarySecurityTokenStructure(
-                        this, subOutputProcessorChain, securityToken.getId(),
-                        securityToken.getX509Certificates(), useSingleCertificate);
+                if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())
+                    || WSSConstants.SIGNATURE_WITH_KERBEROS_TOKEN.equals(getAction())
+                    || WSSConstants.KERBEROS_TOKEN.equals(getAction())) {
+                    List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(3);
+                    attributes.add(createAttribute(WSSConstants.ATT_NULL_EncodingType, WSSConstants.SOAPMESSAGE_NS10_BASE64_ENCODING));
+                    attributes.add(createAttribute(WSSConstants.ATT_NULL_ValueType, WSSConstants.NS_GSS_Kerberos5_AP_REQ));
+                    attributes.add(createAttribute(WSSConstants.ATT_wsu_Id, securityToken.getId()));
+                    createStartElementAndOutputAsEvent(subOutputProcessorChain, headerElementName, false, attributes);
+                    createCharactersAndOutputAsEvent(subOutputProcessorChain,
+                            new Base64(76, new byte[]{'\n'}).encodeToString(
+                                ((KerberosClientSecurityToken)securityToken).getTicket())
+                    );
+                    createEndElementAndOutputAsEvent(subOutputProcessorChain, headerElementName);
+                    if (WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN.equals(getAction())) {                    
+                        WSSUtils.updateSecurityHeaderOrder(outputProcessorChain, WSSConstants.TAG_xenc_ReferenceList, getAction(), false);                    
+                        WSSUtils.createReferenceListStructureForEncryption(this, subOutputProcessorChain);
+                    }
+                } else {
+                    boolean useSingleCertificate = getSecurityProperties().isUseSingleCert();
+                    WSSUtils.createBinarySecurityTokenStructure(
+                            this, subOutputProcessorChain, securityToken.getId(),
+                            securityToken.getX509Certificates(), useSingleCertificate);
+                }
 
                 outputProcessorChain.removeProcessor(this);
             }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/DerivedKeyTokenOutputProcessor.java Wed Oct  9 13:28:15 2013
@@ -78,8 +78,10 @@ public class DerivedKeyTokenOutputProces
             XMLSecurityConstants.Action action = getAction();
             if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
                 length = JCEAlgorithmMapper.getKeyLengthFromURI(getSecurityProperties().getSignatureAlgorithm()) / 8;
+                System.out.println("SIG LEN: " + length);
             } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
                 length = JCEAlgorithmMapper.getKeyLengthFromURI(getSecurityProperties().getEncryptionSymAlgorithm()) / 8;
+                System.out.println("ENC LEN: " + length);
             }
 
             byte[] label;
@@ -103,7 +105,7 @@ public class DerivedKeyTokenOutputProces
             } catch (ConversationException e) {
                 throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
             }
-
+            
             final byte[] derivedKeyBytes;
             try {
                 byte[] secret;
@@ -161,7 +163,7 @@ public class DerivedKeyTokenOutputProces
                     return wsuIdDKT;
                 }
             };
-
+            
             if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
                 outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_SIGNATURE, wsuIdDKT);
             } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/output/EncryptedKeyOutputProcessor.java Wed Oct  9 13:28:15 2013
@@ -18,6 +18,27 @@
  */
 package org.apache.wss4j.stax.impl.processor.output;
 
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.MGF1ParameterSpec;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.OAEPParameterSpec;
+import javax.crypto.spec.PSource;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
+
 import org.apache.commons.codec.binary.Base64;
 import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSPasswordCallback.Usage;
@@ -28,7 +49,9 @@ import org.apache.wss4j.stax.ext.WSSUtil
 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
 import org.apache.xml.security.exceptions.XMLSecurityException;
 import org.apache.xml.security.stax.config.JCEAlgorithmMapper;
-import org.apache.xml.security.stax.ext.*;
+import org.apache.xml.security.stax.ext.AbstractOutputProcessor;
+import org.apache.xml.security.stax.ext.OutputProcessorChain;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
 import org.apache.xml.security.stax.ext.stax.XMLSecAttribute;
 import org.apache.xml.security.stax.ext.stax.XMLSecEvent;
 import org.apache.xml.security.stax.impl.securityToken.GenericOutboundSecurityToken;
@@ -36,28 +59,6 @@ import org.apache.xml.security.stax.impl
 import org.apache.xml.security.stax.securityToken.OutboundSecurityToken;
 import org.apache.xml.security.stax.securityToken.SecurityTokenProvider;
 
-import javax.crypto.Cipher;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.KeyGenerator;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.spec.OAEPParameterSpec;
-import javax.crypto.spec.PSource;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.xml.namespace.QName;
-import javax.xml.stream.XMLStreamException;
-
-import java.io.IOException;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.InvalidKeyException;
-import java.security.Key;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.X509Certificate;
-import java.security.spec.AlgorithmParameterSpec;
-import java.security.spec.MGF1ParameterSpec;
-import java.util.ArrayList;
-import java.util.List;
-
 public class EncryptedKeyOutputProcessor extends AbstractOutputProcessor {
 
     public EncryptedKeyOutputProcessor() throws XMLSecurityException {
@@ -86,7 +87,7 @@ public class EncryptedKeyOutputProcessor
                 outputProcessorChain.getSecurityContext().get(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION);
             SecurityTokenProvider<OutboundSecurityToken> encryptedKeySecurityTokenProvider = null;
             GenericOutboundSecurityToken encryptedKeySecurityToken = null;
-            if (encTokenId != null && !WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(getAction())) {
+            if (encTokenId != null) {
                 encryptedKeySecurityTokenProvider = 
                     outputProcessorChain.getSecurityContext().getSecurityTokenProvider(encTokenId);
                 if (encryptedKeySecurityTokenProvider != null) {
@@ -94,70 +95,24 @@ public class EncryptedKeyOutputProcessor
                         (GenericOutboundSecurityToken)encryptedKeySecurityTokenProvider.getSecurityToken();
                 }
             }
-            
-            if (encryptedKeySecurityToken == null) {
-                // Generate Key
-                //prepare the symmetric session key for all encryption parts
-                String keyAlgorithm = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(securityProperties.getEncryptionSymAlgorithm());
-                KeyGenerator keyGen;
-                try {
-                    keyGen = KeyGenerator.getInstance(keyAlgorithm);
-                } catch (NoSuchAlgorithmException e) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
-                }
-                //the sun JCE provider expects the real key size for 3DES (112 or 168 bit)
-                //whereas bouncy castle expects the block size of 128 or 192 bits
-                if (keyAlgorithm.contains("AES")) {
-                    int keyLength = JCEAlgorithmMapper.getKeyLengthFromURI(securityProperties.getEncryptionSymAlgorithm());
-                    keyGen.init(keyLength);
-                }
-    
-                final Key symmetricKey = keyGen.generateKey();
-    
-                final String ekId = IDGenerator.generateID(null);
-    
-                final GenericOutboundSecurityToken securityToken = new GenericOutboundSecurityToken(ekId, WSSecurityTokenConstants.EncryptedKeyToken, symmetricKey);
-                final SecurityTokenProvider<OutboundSecurityToken> securityTokenProvider =
-                        new SecurityTokenProvider<OutboundSecurityToken>() {
-    
-                    @Override
-                    public OutboundSecurityToken getSecurityToken() throws XMLSecurityException {
-                        return securityToken;
-                    }
-    
-                    @Override
-                    public String getId() {
-                        return ekId;
-                    }
-                };
-                
-                encryptedKeySecurityTokenProvider = securityTokenProvider;
-                encryptedKeySecurityToken = securityToken;
-            }
-            
-            encryptedKeySecurityToken.setKeyWrappingToken(wrappingSecurityToken);
-            wrappingSecurityToken.addWrappedToken(encryptedKeySecurityToken);
 
             FinalEncryptedKeyOutputProcessor finalEncryptedKeyOutputProcessor = new FinalEncryptedKeyOutputProcessor(encryptedKeySecurityToken);
             finalEncryptedKeyOutputProcessor.setXMLSecurityProperties(getSecurityProperties());
             finalEncryptedKeyOutputProcessor.setAction(getAction());
             XMLSecurityConstants.Action action = getAction();
             if (WSSConstants.ENCRYPT.equals(action)) {
-                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_ENCRYPTION, encryptedKeySecurityToken.getId());
                 if (wrappingSecurityToken.getProcessor() != null) {
                     finalEncryptedKeyOutputProcessor.addBeforeProcessor(wrappingSecurityToken.getProcessor());
                 } else {
                     finalEncryptedKeyOutputProcessor.addAfterProcessor(EncryptEndingOutputProcessor.class.getName());
                 }
             } else if (WSSConstants.SIGNATURE_WITH_DERIVED_KEY.equals(action)) {
-                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, encryptedKeySecurityToken.getId());
                 if (wrappingSecurityToken.getProcessor() != null) {
                     finalEncryptedKeyOutputProcessor.addBeforeProcessor(wrappingSecurityToken.getProcessor());
                 } else {
                     finalEncryptedKeyOutputProcessor.addBeforeProcessor(WSSSignatureOutputProcessor.class.getName());
                 }
             } else if (WSSConstants.ENCRYPT_WITH_DERIVED_KEY.equals(action)) {
-                outputProcessorChain.getSecurityContext().put(WSSConstants.PROP_USE_THIS_TOKEN_ID_FOR_DERIVED_KEY, encryptedKeySecurityToken.getId());
                 if (wrappingSecurityToken.getProcessor() != null) {
                     finalEncryptedKeyOutputProcessor.addBeforeProcessor(wrappingSecurityToken.getProcessor());
                 } else {

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/DerivedKeyTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/DerivedKeyTokenTest.java?rev=1530597&r1=1530596&r2=1530597&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/DerivedKeyTokenTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/DerivedKeyTokenTest.java Wed Oct  9 13:28:15 2013
@@ -55,6 +55,7 @@ import javax.xml.stream.XMLStreamReader;
 import javax.xml.stream.XMLStreamWriter;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
+
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.security.cert.X509Certificate;
@@ -584,15 +585,9 @@ public class DerivedKeyTokenTest extends
             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsc0502_SecurityContextToken.getNamespaceURI(), WSSConstants.TAG_wsc0502_SecurityContextToken.getLocalPart());
             Assert.assertEquals(nodeList.getLength(), 0);
             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
-            Assert.assertEquals(nodeList.getLength(), 2);
+            Assert.assertEquals(nodeList.getLength(), 1);
             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsc0502_DerivedKeyToken.getNamespaceURI(), WSSConstants.TAG_wsc0502_DerivedKeyToken.getLocalPart());
             Assert.assertEquals(nodeList.getLength(), 2);
-            nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsse_KeyIdentifier.getNamespaceURI(), WSSConstants.TAG_wsse_KeyIdentifier.getLocalPart());
-            Assert.assertEquals(nodeList.getLength(), 2);
-            Attr attr = (Attr) nodeList.item(0).getAttributes().getNamedItem(WSSConstants.ATT_NULL_ValueType.getLocalPart());
-            Assert.assertEquals(attr.getValue(), WSSConstants.NS_THUMBPRINT);
-            attr = (Attr) nodeList.item(1).getAttributes().getNamedItem(WSSConstants.ATT_NULL_ValueType.getLocalPart());
-            Assert.assertEquals(attr.getValue(), WSSConstants.NS_THUMBPRINT);
             nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
             Assert.assertEquals(nodeList.getLength(), 1);
         }
@@ -725,54 +720,6 @@ public class DerivedKeyTokenTest extends
         }
     }
 
-    @Test
-    public void testEncryptSignatureOutbound() throws Exception {
-        ByteArrayOutputStream baos = new ByteArrayOutputStream();
-        {
-            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
-            WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.ENCRYPT_WITH_DERIVED_KEY, WSSConstants.SIGNATURE_WITH_DERIVED_KEY};
-            securityProperties.setOutAction(actions);
-            CallbackHandlerImpl callbackHandler = new CallbackHandlerImpl();
-            securityProperties.setCallbackHandler(callbackHandler);
-            securityProperties.setSignatureAlgorithm("http://www.w3.org/2000/09/xmldsig#hmac-sha1");
-            securityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
-            securityProperties.setSignatureUser("receiver");
-            securityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
-            securityProperties.setEncryptionUser("receiver");
-            securityProperties.setEncryptionKeyIdentifier(WSSecurityTokenConstants.KeyIdentifier_ThumbprintIdentifier);
-            securityProperties.setDerivedKeyTokenReference(WSSConstants.DerivedKeyTokenReference.EncryptedKey);
-
-            OutboundWSSec wsSecOut = WSSec.getOutboundWSSec(securityProperties);
-            XMLStreamWriter xmlStreamWriter = wsSecOut.processOutMessage(baos, "UTF-8", new ArrayList<SecurityEvent>());
-            XMLStreamReader xmlStreamReader = xmlInputFactory.createXMLStreamReader(this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml"));
-            XmlReaderToWriter.writeAll(xmlStreamReader, xmlStreamWriter);
-            xmlStreamWriter.close();
-
-            Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
-            NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
-            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
-
-            nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsc0502_SecurityContextToken.getNamespaceURI(), WSSConstants.TAG_wsc0502_SecurityContextToken.getLocalPart());
-            Assert.assertEquals(nodeList.getLength(), 0);
-            nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
-            Assert.assertEquals(nodeList.getLength(), 2);
-            nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsc0502_DerivedKeyToken.getNamespaceURI(), WSSConstants.TAG_wsc0502_DerivedKeyToken.getLocalPart());
-            Assert.assertEquals(nodeList.getLength(), 2);
-            nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_wsse_KeyIdentifier.getNamespaceURI(), WSSConstants.TAG_wsse_KeyIdentifier.getLocalPart());
-            Assert.assertEquals(nodeList.getLength(), 2);
-            Attr attr = (Attr) nodeList.item(0).getAttributes().getNamedItem(WSSConstants.ATT_NULL_ValueType.getLocalPart());
-            Assert.assertEquals(attr.getValue(), WSSConstants.NS_THUMBPRINT);
-            attr = (Attr) nodeList.item(1).getAttributes().getNamedItem(WSSConstants.ATT_NULL_ValueType.getLocalPart());
-            Assert.assertEquals(attr.getValue(), WSSConstants.NS_THUMBPRINT);
-            nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
-            Assert.assertEquals(nodeList.getLength(), 1);
-        }
-        {
-            String action = WSHandlerConstants.ENCRYPT + " " + WSHandlerConstants.SIGNATURE;
-            doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
-        }
-    }
-
     @Test(dataProvider = "versionProvider")
     public void testEncryptSignatureInbound(int version) throws Exception {
 
@@ -838,4 +785,5 @@ public class DerivedKeyTokenTest extends
             Assert.assertEquals(nodeList.getLength(), 0);
         }
     }
+    
 }



Mime
View raw message